Microsoft Sentinel Analytic Rules

Darktrace Model Breach Legacy

Id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9
Rulename: Darktrace Model Breach (Legacy)
Description: This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.
Severity: Medium
Tactics: InitialAccess, Execution, LateralMovement, CommandAndControl
Techniques: T1190, T1059, T1021, T1071
Required data connectors: DarktraceRESTConnector
Kind: NRT
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
Version: 1.1.1
Arm template: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9.json

Query:
darktrace_model_alerts_CL
| where dtProduct_s == "Policy Breach"
| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatIdentifier=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceIdentifier=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
| extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
| extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium",
                                  DtCategory == "Critical", "High",
                                  "Informational")
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DstHostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DstIpAddr
tactics:
- InitialAccess
- Execution
- LateralMovement
- CommandAndControl
requiredDataConnectors:
- dataTypes:
  - darktrace_model_alerts_CL
  connectorId: DarktraceRESTConnector
alertDetailsOverride:
  alertDescriptionFormat: '{{DtMessage}}'
  alertTacticsColumnName: 
  alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}'
  alertDynamicProperties:
  - value: DtBreachURL
    alertProperty: AlertLink
  - value: EventVendor
    alertProperty: ProviderName
  - value: EventProduct
    alertProperty: ProductName
  - value: ThreatCategory
    alertProperty: ProductComponentName
  - value: DtSentinelCategory
    alertProperty: Severity
  alertSeverityColumnName: 
id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9
severity: Medium
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  DtSentinelCategory: DtSentinelCategory
  NetworkRuleName: NetworkRuleName
  EventSeverity: EventSeverity
  DstMacAddr: DstMacAddr
  DtDeviceIdentifier: DtDeviceIdentifier
  DtDescription: DtDescription
  NetworkRuleNumber: NetworkRuleNumber
  DtCompliance: DtCompliance
  SrcMacAddr: SrcMacAddr
  ThreatIdentifier: ThreatIdentifier
  EventStartTime: EventStartTime
  DstPortNumber: DstPortNumber
  DtCategory: DtCategory
  SrcPortNumber: SrcPortNumber
query: |
  darktrace_model_alerts_CL
  | where dtProduct_s == "Policy Breach"
  | project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatIdentifier=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceIdentifier=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
  | extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
  | extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium",
                                    DtCategory == "Critical", "High",
                                    "Informational")
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
kind: NRT
queryPeriod: 5m
version: 1.1.1
name: Darktrace Model Breach (Legacy)
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1190
- T1059
- T1021
- T1071
description: |
    'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.'
triggerOperator: gt